On Dec 8, 2014, at 7:08 AM, Dean Goldhill <dgoldhill@netutils.com> wrote:
When using EAP PEAP or TTLS, if I try to write the ‘%{Module-Failure-Message}’ in the post-auth section to SQL, the value is blank when the reason is incorrect password. When using a non-tunnelled authentication protocol, it correctly displays ‘rlm_pap: CLEAR TEXT password check failed’
In v3.0.5, you need to cache the Module-Failure-Message - in inner-tunnel, post-auth-type Reject, do: update outer.session-state { Module-Failure-Message := &request:Module-Failure-Message } And then in the “default” virtual server, post-auth section, you can use: %{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}} Which says “use the saved message from the inner tunnel, but if that doesn’t exist, use the failure message from the outer session”.
I think I know why this is happening, because the rejection happens prior to the last message in the EAP sequence, so the value of the module-failure-message is no longer populated in the last message sent to the device, which is when the post-auth is done.
Yes. Alan DeKok.